The cryptographic power of misaligned reference frames 
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Suppose that Alice and Bob define their coordinate axes differently, and the change of reference 
frame between them is given by a probability distribution p over SO(3). We show that this uncer- 
tainty of reference frame is of no use for bit commitment when fi is uniformly distributed over a 
(sub) group of SO (3), but other choices of \i can give rise to a partially or even asymptotically secure 
bit commitment. 
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It has been one of the goals of quantum information 
theory to find new cryptographic applications of quan- 
tum physics. The prime and most successful example 
of such an application is the protocol of quantum key 
distribution developed by Bennett & Brassard in 1984 
0, which implements a cryptographic primitive that is 
impossible to obtain via classical means. 

Another cryptographic primitive of great interest is se- 
cure bit commitment. Bit commitment protocols typi- 
cally involve two phases: a commit phase, in which Alice 
commits to a bit b (called the message), and the reveal 
phase, when Bob learns b. The requirements for secure 
bit commitment are that the protocol is (at least approx- 
imately) sound, meaning that when both parties are hon- 
est Bob accepts the message b; binding, meaning that af- 
ter the commit phase, a cheating Alice will never be able 
to reliably convince Bob of more than a single value of b 
(although she may force Bob to abort the protocol); and 
concealing, meaning that a cheating Bob cannot learn 
the value of b before the reveal stage, irrespective of his 
cheating strategy (of course, no guarantees are possible 
if both parties cheat). 

Unlike the case of key distribution, neither classical 
nor quantum resources suffice for secure bit commitment 
under general circumstances 0- S 01- n ot even when 
both parties participating in the protocol are restricted 
by local superselection rules However, it is pos- 

sible to build secure bit commitment using additional 
assumptions, such as the hardness of performing certain 
calculations in polynomial-time 0, 0] or, in the classical 
case, the availability of a known, noisy (i.i.d.) channel 
between the parties (see Ref. Q and references therein) . 

This Letter is concerned with the possibility of secure 
quantum bit commitment when the spatial frames of ref- 
erence between the parties are misaligned. Depending on 
a single qubit's physical implementation, its definitions 
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of |0) and |1) are given by a local measurement setting 
which may be directionally dependent. For example, a 
spin qubit realization will depend on the orientation of 
locally applied magnetic fields and qubits based on po- 
larization degrees of freedom will depend on the local 
settings of polarization filters. This means that between 
different locations there may be a misalignment of such 
spatial frames. Misaligned reference frames could also 
arise in a (special) relativistic setting 9]. Assume that 
Alice's inertial frame moves at relative velocity v with 
respect to Bob and Alice and Bob have partial infor- 
mation about this velocity. This implies that quantum 
information sent between the parties is subject to uni- 
tary transformations representing boosts in the Lorentz 
group. 

Several recent papers have studied the problem of mis- 
aligned reference frames. Researchers have considered 
the task of communicating a reference frame or direction 
[ToL ITU Il2l If3 | , communication in the presence of mis- 
aligned reference frames |l4j| , or the cryptographic use of 
a private shared reference frame |15| . 

In our set-up we assume that Alice and Bob de- 
fine their computational bases {|0),|1)} differently. 
That is, suppose Alice uses {|CU), 11^)} and Bob uses 
{|0 B >, \1b)}- Let U = |0 B )(0 A | + \l B ){U\ be the 2 x 2 
unitary matrix relating these bases. If the reference 
frames are related by a 3-dimensional rotation R taken 
from probability measure /i, then via the homomorphism 
between SU(2) and SO (3), U £ SU(2) represents a 
sample from /i. The distribution /i captures Alice's and 
Bob's information, which we assume to be the same, 
about the misalignment between their reference frames. 
For example, if Alice and Bob have no knowledge about 
their misalignment, they assume that U is uniformly at 
random from SU(2). Partial but identical knowledge 
by both parties can be represented by a more involved 
distribution /i. The effect of the misalignment is that 
everything Alice sends to Bob is multiplied by U (in 
his frame of reference) and everything Bob sends to 
Alice will be multiplied by UK This is not unlike a 
noisy quantum channel. Notice, however, that unlike an 
ordinary quantum channel, no quantum information is 
destroyed by channel uses. For example, if Bob sends the 
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state back to Alice, she will recover her original message; 
or if Bob later learns an approximate description of U , 
then he can apply a unitary close to U* and obtain a 
state close to what Alice sent. Moreover, if Alice sends 
k qubits, the 'channel' applies a random U® k to the 
k qubits, unlike k independent copies of a standard 
channel. 

Our main goal in this Letter is to determine whether 
the no-go results for bit commitment still hold under the 
assumption of misaligned reference frames. Our results 
are two-fold. On the one hand, we prove that if fi is 
uniform over SU(2) or a subgroup of SU(2), then the 
standard security results of bit commitment still hold. 
On the other hand, we also show that there exists dis- 
tributions fx, albeit somewhat artificial, that give rise to 
asymptotically secure bit commitment. 

Let us now prove our first result, namely if the rotation 
relating Alice to Bob's reference frame is completely un- 
known, i.e. /i is a uniform distribution over (a subgroup 
of) SU(2), then bit commitment is impossible. 

Theorem 1 Let G be a subgroup of SU(2), and [i the 
uniform distribution over G. If there exists a bit com- 
mitment protocol V using misalignment characterized by 
\i, then there exists a protocol V 1 using a standard noise- 
less quantum channel and locally aligned reference frames 
with identical security parameters. 

The theorem shows that there is no gain in bit com- 
mitment security over what is possible in the standard 
scenario when the misalignment is taken uniformly at 
random in some group, for example rotations around 
some fixed axis in the Bloch sphere. Thus, as in the 
standard case, perfectly secure bit commitment is 
impossible for such misalignments Here is the proof of 
the theorem: 

Proof Given V, we construct V as follows. Alice and 
Bob choose random rotations U a and U b uniformly at 
random from G. The protocol V follows T 3 , but with the 
following changes: 

• Before sending any qubit, Alice applies Ua- 

• After receiving any qubit, Alice applies U A . 

• Before sending any qubit, Bob applies Ub- 

• After receiving any qubit, Bob applies U B . 

If both parties are honest, then V' functions the same 
way as T 3 , except with the reference frames of the two 
parties related by U b Ua- Since Ua and Ub are chosen 
uniformly at random, U b Ua is as well, and the protocol 
simulates V exactly. Therefore V is just as sound as V. 

Now suppose one party, say Bob, cheats. We can make 
no assumptions about Bob's actions, but since Alice is 
still honest, her random selection of Ua is enough to 
randomize her reference frame from Bob's point of view. 



Furthermore, she otherwise follows V, so Bob cannot dis- 
tinguish Alice's half of V from V being executed over a 
channel with a genuinely random rotation. Therefore V' 
is just as concealing as V . 

If instead Alice cheats, the same argument shows that 
V is just as binding as V. ■ 

We will now show that the conclusion of Theorem 1 
does not hold for general distributions /i. Since noisy 
classical channels can have a bit commitment capacity 
@ (which is achieved by coding), we may expect that 
a single use of such a channel could lead to a bit com- 
mitment that goes beyond what is possible without the 
noisy channel. In fact we will prove a stronger result, 
namely that there exists a distribution that allows for an 
asymptotically secure bit commitment. 

The classical protocols developed in Q are of the fol- 
lowing form, which we shall also employ: Alice chooses 
a set of codewords C a ,b, where b is the message (usually 
a single bit) to be committed and a is another index of 
arbitrary size that is picked randomly. She sends C a .b 
through the channel to commit to 6, and reveals b by 
sending (a, b). Bob will typically accept if there is a high 
likelihood that the noisy message that he received in the 
commit phase originated from the codeword C a ,b for the 
values of a, b that Alice gives him in the reveal phase. We 
cannot apply such a protocol directly since our 'misalign- 
ment channel' is not i.i.d. (independent and identically 
distributed) which rules out asymptotic coding results. 
Furthermore, we are considering quantum instead of clas- 
sical information. 

The latter issue is easily fixed. We will consider the 
limit in which the quantum information that Alice sends 
behaves classically, that is, Bob can perfectly (in the 
classical limit) distinguish the states |C aj h). In case we 
deal with 'misalignment channels' for photon polariza- 
tion, this means that Alice will send Bob a very bright 
beam of identically polarized photons, so that Bob can 
determine this polarization vector with high accuracy. If 
we are working with spins, the codewords that we will 
use will be spin J particles for J — > oo. 

Since any classical protocol has an underlying quan- 
tum mechanical implementation, one cannot exclude a 
priori the possibility for a coherent quantum attack, even 
though this kind of attack may be technically hard to 
implement in the classical limit. This kind of attack has 
been the main limitation to the security of quantum bit 
commitment 0-0- Et| In the coherent quantum attack Al- 
ice has an additional ancilla entangled with the codeword 
that she will send to Bob, i.e. she holds a purification of 
the state she sends to Bob. This may enable her to cheat 
at the revealing stage. However, for the schemes that we 
will consider, we can easily argue that such a cheating 
strategy will not give Alice extra power. We do this by 
demanding that an honest Bob always first measures the 
quantum state he obtains from Alice. Since we are in 
the classical limit, his measurement (of polarization or 
spin-direction) will hardly disturb the state, but it will 
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remove all entanglement between Alice's ancilla and the 
state that she sends. This means that, upon Bob's mea- 
surement (he acts like a decohering environment) we are 
now back in the situation where Alice sends the state 
\C' a ,b) with some probability. 

Thus we now show that for a certain distribution // 
over SO(3) there exists a classical scheme using three- 
dimensional vectors that gives rise to an asymptotically 
secure bit commitment. 

We start with an example inspired by |8| that demon- 
strates that some security gain is easily constructed. 
Ref. Q introduces a classical channel that inputs i 6 
{0, 1, 2, 3} and outputs i with probability 1/2 and i + 1 
(mod 4) with probability 1/2. Define codewords C a ,b = 
2a + b for a,b £ {0,1}. Bob accepts if Alice reveals 
a codeword that has nonzero (i.e. 1/2) probability of 
giving rise to what he received from the channel. The 
protocol is perfectly sound and concealing, but not bind- 
ing; Alice can cheat with probability 1/2. This security 
should be compared to the standard quantum or classical 
case where being perfectly sound and perfect concealing 
implies that Alice can cheat with probability 1. 

One use of this channel can be simulated by a frame 
shift that has probability 1 /2 of being the identity and 
probability 1/2 of being a rotation about the z-axis by 
it/2. The codewords are {x,y, —x, —y}- 

A similar, perhaps more natural, possibility is that 
the frame shift is a rotation about the z-axis by an an- 
gle that is uniformly distributed between and tt. Us- 
ing the same codewords, the protocol is still perfectly 
sound and concealing, but Alice can now interpolate be- 
tween committing to zero or one by sending the vector 
cos(a7r/2)x + sin(a7r/2)y for < a < 1. If she then 
reveals zero, Bob will accept with probability 1 — a/2, 
and if she reveals one, Bob will accept with probability 
(1 + a)/2. For Alice, passive cheating is defined as com- 
mitting honestly to a bit and then attempting to reveal 
something different; here her success probability is still 
1/2. However, if Alice chooses a = 1/2, then she can 
convince Bob of either bit with probability 3/4. 

These examples show that misaligned reference frames 
can offer small advantages in security over noiseless quan- 
tum communication. But can we do better? In the next 
section, we show that in fact any number of bits can be 
committed to any desired level of security for some dis- 
tribution [i. 



An Asymptotically Secure Scheme 



space. However, spatial reference frames are only three- 
dimensional objects which seems to suggest that only a 
partially secure bit commitment may be achievable. Our 
scheme overcomes this apparent problem by parametriz- 
ing three-dimensional vectors by coordinates of a d- 
dimcnsional lattice. 

Alice sends a vector v £ M 3 to Bob. In Bob's spatial 
frame of reference this vector looks like Rv for some ran- 
dom rotation R taken from the probability distribution 
\i. The distribution fi of R is the following. Let there be 
a set of angles 9 € {0\, 9 2 , . . ■ , C {\ which are not linearly 
related, meaning that for all integers (positive or nega- 
tive) n\, ri2, ■ ■ ■ , nd, J2i=i n $i — mod 7r if and only if 
m = n,2 = ■ ■ ■ = rid = 0. One of these angles 9 is picked 
uniformly at random. Then R is given by 



R 



cos 9 sin 9 
— sin 9 cos 9 
1 

cos 26* sin 29 
-sin 29 cos 29 
1 



with prob. 1/2, 



with prob. 1/2. 



(1) 



Let us describe our bit commitment protocol with this 
distribution /i, known to Alice and Bob. Let L be a 
positive integer. 

• Commit. To commit to b £ {0, 1}, Alice chooses 
a = (oi, . . . , ad) 6 {0, 1, . . . , L — l] d uniformly at 
random, but conditioned on a L = b mod 2. 

Let a(a) = X)f=i a ^- Alice sends the vector 
v — v(sl) — (cos a (a), sin a (a), 0). Bob receives 
this vector as Rv(&) = v(a!) with rotated angle 
a' = ^ - a'fti. He determines the c?-dimensional lat- 
tice vector a'. If he cannot find such a vector, he 
aborts the protocol. 

• Reveal. In the reveal phase, Alice simply sends 
the classical bits (6, a) to Bob. Bob accepts when 
b = J^i a i mod 2 and all coordinates of a — a' are 
except one for which a£ — is either 1 or 2. Oth- 
erwise he aborts. 

Let us now show that this protocol has the desired 
security properties. 

Soundness. We assume that both parties are honest. To 
understand a given realization of this protocol, let j be 
such that the randomly chosen 9 equals 9j. In that case 
the coordinates a' of a' are 



For our scenario we first assume that Bob can mea- 
sure the coordinates of a three-dimensional vector that 
he receives with infinite precision. We then argue that 
the security still holds in the case of finite precision. 

The idea behind the scheme is two-fold. We show that 
a single use of a channel can give rise to an (asymp- 
totically) perfectly secure commitment when the chan- 
nel acts on vectors in an arbitrarily high-dimensional 
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with prob. 1/2, 
with prob. 1/2. 



(2) 



Due to the linear independence of the 6*-angles Bob can 
perfectly compute a' £ {0, 1, . . . , L + l} d from v(sl ). Bob 
will accept Alice's message in the reveal phase since this 
vector a' is within distance 2 of the original a and the 
noise acts on only one of the coordinates. 
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Concealing. A bit commitment protocol is called e- 
concealing when for two different messages b — and 
6=1 the distributions over random variables as viewed 
by Bob are e-close with respect to their variation dis- 
tance. In our case Bob learns a', thus we consider the 
distance e = £ a , |P (a' | b = 0) - P (a' | b = 1) |. For an 
a' with all coordinates at least 2 and at most L we have 
P(a' | b = 0) = P(a' | b = 1). All other a's are 'bound- 
ary' cases, which we denote as a' £ B, for which these 
two conditional probabilities can be different. We upper 
bound this boundary term as 

|P(a'|6 = 0)-P(a'|6 = l)| < ^ P(a') < 



a'GS 



a'e/3 

'-''y i . p) 



which can be made arbitrarily small for large enough L 
for any fixed d. 

Binding. Consider Alice's cheating strategies. She could 
have sent a different vector, say w((3). In case w is not 
in the x-y plane or if (3 ^ b$i for some integers 
bi e {0, ...,£+ 1} Bob simply aborts. Alice could 
try to cheat by revealing an a* and b* ^ b that pass 
Bob's test. Alice's best option is to choose a* that is 
the same as a except, say, the fcth coordinate, which 
is aj£ = <2fc + 1. This implies that that the parity b* of 
a* is opposite to b. With probability l/d the noise acts 
on the fcth coordinate and so (a*, b*) passes Bob's test. 



The protocol is l/<i-binding. 

In reality we should assume that Bob can only deter- 
mine Rv with finite precision, which means that Bob 
finds some vector w at Euclidean distance < e from 
Rv. If s is small enough, we can ensure that for all 
x, y e {0, . . . , L + l} d , \v(x) ~ v(y) \\ > 2e, so Bob can 
still determine a' from w « Rv, if Alice behaves honestly. 

But what if Alice cheats and sends some arbitrary vec- 
tor w to Bob? Notice, however, that this strategy could 
only work if \\Rw — w(a')|| < e, which happens if and 
only if \\w — u(a)|| < e. In particular, a is the only d- 
dimensional vector such that w(a) is e-close to w. Thus 
if Alice later reveals a* ^ a, her cheating still succeeds 
only with probability < l/d. 

Remark: By increasing d and running the above proto- 
col in parallel several times, it is also possible to commit 
more than one bit. 

It remains an open problem to get a more complete 
overview of the (im)possibility of bit commitment for 
general distributions /i. In particular it would be inter- 
esting to find realistic noise models for, say, polarized 
photons, that would allow for secure or approximately 
secure bit commitment. 
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